
(Archived) Changing password does not seem to do anything - old apps still connect


mlevin77

Idea

Today I got an email from Evernote about the Adobe passwords stolen by hackers, with the advice to change my Evernote password. I went online to the website and changed my Evernote password. I also see a lot of posts on the forum about changing one's password if a device is stolen, to keep people from accessing your data. But I noticed that my various devices (Mac, iPad, iPhone) can still sync with the Evernote server and pull down new data (changes in my notes) even though they still have the old password! This means that if hackers had connected to my account with their devices, my changing the main password on the website won't stop their access any more than it stopped the access from my client apps on my Mac and my iPhone. If they had access before, they will still have access now because of this "keep me logged in" feature, right? I don't understand how the Evernote server can continue to send data to a client that no longer has the correct password. It seems like a huge security hole. I was chatting about this with an Evernote support person, and they said they'd talk to the developer and "hang on a minute" and then disconnected me after 5 minutes waiting. I have no idea what happened but I never got an answer to this. Does anyone know? How do I truly disable people's access by changing my primary password, if that doesn't seem to affect clients that connected before the password change?

Link to comment

21 replies to this idea

Recommended Posts

  • Level 5*

Still seems to me like you want a blanket guarantee that 'there are no unknown security holes' when 'unknown security holes' are,  by definition,  "unknown" and therefore logically it's impossible to make that statement.  Change your password regularly and decide what level of risk you're comfortable with.  Outside that level take your own precautions as have been discussed here in great depth.

Link to comment
  • Level 5

Reposting myself from earlier. Closing the thread.

Evernote uses a variation of a technology called OAuth for authentication. When you sign into the Evernote service with a client, an auth token is generated for your client. That token will grant access forever (not technically forever, but close enough) so that you don't have to log that client in again. That way, passwords don't get sent around unnecessarily every time you open that application in perpetuity. This method is also considered to be much more secure for long-term client-server authentications. A byproduct of this is that when you change your password on the service, you will not have to log in again into any of your clients because they have already authenticated with the service. However, any new signins will require the updated password. 

 

As mentioned earlier, if you'd like to de-authorize any existing logged in applications, you can do so from https://www.evernote.com/AuthorizedServices.action

Link to comment
  • Level 5

> yep, this is ok *if* that list is guaranteed to show every single client that ever connected (i.e., if we are guaranteed that any unauthorized accesses are listed there for us to de-authorize). Is that the case - do we know that this page will list every client that ever connected?

Yes. Support can give you more information if you'd like. Closing this thread so people who search find the answer more quickly.

Link to comment

> passwords don't get sent around unnecessarily every time you open that application in perpetuity. This method is also considered to be much more secure for long-term client-server authentications.

 

That sounds great, but couldn't you provide a new button such that when pressed (rarely, only in the event of a breach or suspected breach), it will revoke all tokens and *require* all connections to provide the current password before the server gives out any data. It seems that there should be such an option.

 

> if you'd like to de-authorize any existing logged in applications, you can do so from https://www.evernote...Services.action

 

Yep, this is ok *if* that list is guaranteed to show every single client that ever connected (i.e., if we are guaranteed that any unauthorized accesses are listed there for us to de-authorize). Is that the case - do we know that this page will list every client that ever connected?

 

thank you,

Mike

Link to comment
  • Level 5

Evernote uses a variation of a technology called OAuth for authentication. When you sign into the Evernote service with a client, an auth token is generated for your client. That token will grant access forever (not technically forever, but close enough) so that you don't have to log that client in again. That way, passwords don't get sent around unnecessarily every time you open that application in perpetuity. This method is also considered to be much more secure for long-term client-server authentications. A byproduct of this is that when you change your password on the service, you will not have to log in again into any of your clients because they have already authenticated with the service. However, any new signins will require the updated password. 

 

As mentioned earlier, if you'd like to de-authorize any existing logged in applications, you can do so from https://www.evernote.com/AuthorizedServices.action

Link to comment
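To make the token explanation above concrete, here is an added example that is not Evernote's code and not from anyone in this thread. It is a minimal bearer-token service written for illustration: the password is verified once at sign-in, every later sync request carries only the token, and a password change on its own leaves existing tokens valid. It also shows the two remedies the thread asks about: revoking one client from an "authorized applications" list, and a per-account credential version that is bumped on password change so every token issued before it stops working. All names, the PBKDF2 parameters and the `version` field are assumptions for the example, not a description of Evernote's implementation.

```python
# Added example (not Evernote's code): a minimal bearer-token service that
# reproduces the behaviour discussed in this thread and shows two remedies.
# Class names, the PBKDF2 parameters and the "version" field are assumptions
# made for illustration, not a description of Evernote's implementation.
import hashlib
import hmac
import os
import secrets
import time


class AuthService:
    def __init__(self):
        self._users = {}   # username -> {"salt", "hash", "version"}
        self._tokens = {}  # sha256(token) -> {"user", "version", "issued", "label", "revoked"}

    # -- password storage: salted PBKDF2, compared in constant time --
    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self._users[user] = {"salt": salt, "hash": self._kdf(password, salt), "version": 1}

    def _password_ok(self, user, password):
        rec = self._users.get(user)
        return rec is not None and hmac.compare_digest(rec["hash"], self._kdf(password, rec["salt"]))

    @staticmethod
    def _token_id(token):
        # Only a hash of the token is stored, so a leaked token table is not directly usable.
        return hashlib.sha256(token.encode()).hexdigest()

    # -- the password is checked exactly once, at sign-in --
    def login(self, user, password, client_label):
        if not self._password_ok(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[self._token_id(token)] = {
            "user": user,
            "version": self._users[user]["version"],  # snapshot of the credential version
            "issued": time.time(),
            "label": client_label,
            "revoked": False,
        }
        return token

    # -- every later request carries the token, never the password --
    def sync(self, token):
        rec = self._tokens.get(self._token_id(token))
        if rec is None or rec["revoked"]:
            return None
        if rec["version"] != self._users[rec["user"]]["version"]:
            return None  # token was issued before the last global revocation
        return rec["user"]

    # -- password change; revoke_all=True is the "kick everyone out" option --
    def change_password(self, user, old, new, revoke_all=False):
        if not self._password_ok(user, old):
            return False
        salt = os.urandom(16)
        self._users[user].update(salt=salt, hash=self._kdf(new, salt))
        if revoke_all:
            self._users[user]["version"] += 1  # every outstanding token now fails sync()
        return True

    # -- per-client revocation, as on an "authorized applications" page --
    def authorized_clients(self, user):
        """Returns (token_id, label) pairs for every token that can still sync."""
        current = self._users[user]["version"]
        return sorted(((tid, r["label"]) for tid, r in self._tokens.items()
                       if r["user"] == user and not r["revoked"] and r["version"] == current),
                      key=lambda pair: pair[1])

    def revoke(self, user, token_id):
        rec = self._tokens.get(token_id)
        if rec is None or rec["user"] != user:
            return False
        rec["revoked"] = True
        return True


def walkthrough():
    """Replays the scenario from this thread; returns what each step observed."""
    svc = AuthService()
    svc.register("mike", "old-pw")
    mac = svc.login("mike", "old-pw", "Mac")
    steps = {"mac_syncs_before_change": svc.sync(mac) == "mike"}
    svc.change_password("mike", "old-pw", "new-pw")
    steps["mac_syncs_after_change"] = svc.sync(mac) == "mike"      # True: the surprise
    steps["old_pw_login_rejected"] = svc.login("mike", "old-pw", "x") is None
    svc.change_password("mike", "new-pw", "newer-pw", revoke_all=True)
    steps["mac_syncs_after_revoke_all"] = svc.sync(mac) == "mike"   # False
    return steps
```

The `version` field is the cheap way to get the "revoke everything" button requested in this thread without walking the token table: the server compares the version stamped into the token at issue time with the account's current version on every request, so bumping the number invalidates all tokens at once, while the per-token `revoked` flag covers the case of signing out one lost device. Whether a real service exposes the global option at password change is a product decision; the mechanism itself is a few lines.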

Makes sense; but it would be nice to add an option upon central password change to immediately revoke all existing tokens and have the server ask all connections to re-authorize. If there's ever a security breach, this would be a very useful option.

Link to comment

Sure, but turning the phone off and on often does not prompt for login in these cases. Either because an authentication token was downloaded to the phone at the initial sign-in and this token continues to be valid even after a central change of password, or because the user checked "stay signed in" at the initial sign-in.

Link to comment

Just a final comment to note that this behaviour (that clients keep being able to access data after a password change) is not at all uncommon. At least on Android devices I've noticed many different apps with this flaw. In fact it is quite uncommon for such apps to provide a central page where devices can be revoked (as in Evernote's case).

Link to comment

Update - finally got a reply from Evernote tech support.  As I suspected, this is indeed a security issue (a real, well-defined one - not a mysterious unknown as Gazumped suggested):

 

"I understand your point entirely and I will make sure that your feedback is passed on directly to our development team. The security of our users' accounts is very important to us. I apologise that I did not have a solution for you at the moment; hopefully we will have new features added soon."
 

I am hopeful that bringing this to their attention will trigger a fix. At the very least they should implement the option of forcing their server to require a valid password for any connection from a client. Seems like a minimal requirement for any secure client-server system.

Link to comment

> Still seems to me like you want a blanket guarantee that 'there are no unknown security holes'

 

Not at all. I am talking about a clearly-described, potential *known* security hole. I'd like for Evernote tech support to address it and tell me that either 1) they already thought of this and that web page lists EVERY client that ever connected, so that we could de-authorize them when changing the password (issue solved), or 2) it wasn't guaranteed, but they are going to patch it so that in the future it will list all clients that connect (or better yet, include an option to deauthorize every client and only allow the server to send data to clients that provide the correct current password - that seems like a basic option to have).

Link to comment

It's not about my mood; I ask the question to find out more about this issue and to see what others think about it and why they are not concerned (if they're not). We can't simply accept that the Internet is inherently insecure; of course it is, but part of making good decisions about how much security to give up for useful features is knowing what the holes are. Anyone with valuable data should want to know if a hole exists, and if so, whether the company intends to patch it. I understand we can never get rid of unknown holes, but once we suspect there is one, I think the smart thing to do is to see if it's real and try to fix it. I have seen that people in the forum suggested that all prior devices should be listed there; I hope this is true. If Evernote replies to my trouble ticket and confirms this, then I'm set. But they haven't done that; I haven't heard officially that this is the case. Indeed the tech support agent I was talking to didn't have an answer to this, which didn't make me think that I was worried over nothing and they had it covered - it made me worry that they didn't dispel my question as a novice concern with a clear answer. "Stuff that you don't know about is impossible to define" isn't quite relevant here; I have a very simple, well-defined scenario here. If as you say "there could be things that wouldn't be listed here", then there is a problem: changing your password will not automatically allow you to keep out unauthorized users that had once gotten access to it. That seems to me like a basic issue, not an imaginary mysterious problem we can't anticipate. So what do I suggest be done about it?
Well, I love Evernote and want to keep using it, so what I'd like is for Evernote tech support to address my question and tell me that either 1) they already thought of this and that web page lists EVERY client that ever connected, so that we could de-authorize them when changing the password, or 2) they didn't guarantee it until now, but have now patched it and in the future it will list all clients that connect (or better yet, include an option to deauthorize every client and only allow the server to send data to clients that provide the correct current password - that seems like a basic option to have).

Link to comment
  • Level 5*

> Ok; I did ask them. First in chat, where the rep said "let me check with a developer" and then disconnected on me after 5-6 minutes of waiting, and then in email, where it's been a few days and all I got so far was a reply saying "sorry for the long delay, we'll get back to you". I have a feeling this is a real security issue and they are discussing it...

 

Sounds to me like you're not in the mood to believe anyone who says anything other than 'major security issue' so why bother asking?  The page you were referred to lists all authorised access to your account.  There could be things that wouldn't be listed there,  but by definition the stuff you don't know about is impossible to define.  Since storing information on the internet (or on any computer you don't totally control) is inherently insecure,  what would you suggest be done about it?

Link to comment

Ok; I did ask them. First in chat, where the rep said "let me check with a developer" and then disconnected on me after 5-6 minutes of waiting, and then in email, where it's been a few days and all I got so far was a reply saying "sorry for the long delay, we'll get back to you". I have a feeling this is a real security issue and they are discussing it...

Link to comment

I don't know the answer to your question, but I think it might be safe to assume that all devices that have ever been connected to your account would be listed on that page. Ask Evernote support if you need further confirmation.

Link to comment

> Actually there is a way to handle this. Go to Evernote on the Web / Account Settings / Applications. There you can revoke access to any devices you don't want to have access to your data anymore. I just tried this on one of my devices and it triggered a re-login prompt on the device that I revoked access for.

 

Are we guaranteed that every client that has ever connected is listed here? That is, I've managed to revoke access to my own devices, but are we sure that anyone else who might have had access to the account (and is "keeping logged in") is listed there for me to revoke? Could there be hackers who got into the account and can still access it because their device doesn't show up for me to revoke?

Link to comment

Actually there is a way to handle this. Go to Evernote on the Web / Account Settings / Applications. There you can revoke access to any devices you don't want to have access to your data anymore. I just tried this on one of my devices and it triggered a re-login prompt on the device that I revoked access for.

Link to comment

> Changing your password should trigger a re-login process on all devices. Yes it is a security hole.

 

That's what I thought; weirdly, the tech support person at Evernote with whom I was talking about this could not understand what I meant.

 

> If you have access to your devices you can always sign out and sign in, but if a device was stolen or lost you're screwed.

 

Yeah, but I'm worried about devices that are not mine - that might have connected to the account previously and are owned by someone else. Do we have a guarantee that all such devices are visible on that web page and can be signed out?

Link to comment

This is the same on Windows, and I agree that it's a very weird and unexpected behavior. Changing your password should trigger a re-login process on all devices. Yes it is a security hole.

 

On one of my devices (Windows) a little pop-up appeared after a while saying I needed to re-authorize my account, but I don't know what triggered it. The expected behavior would be for this to happen immediately! On other devices no such pop-up ever appeared.

 

If you have access to your devices you can always sign out and sign in, but if a device was stolen or lost you're screwed.

Link to comment

> To clarify, the advice to change your Evernote password was only if it was the same as your Adobe password. And it's never a good idea to use the same password for different accounts, for this very reason.
>
> "Evernote has not been compromised and is not connected to this incident, but if you used the same password for Adobe and Evernote, then you should change your Evernote password now."
>
> WRT your question, I'd guess if you elect to "keep me logged in", then the app won't ask for a password. Which is also why it's a good idea to use the PIN code on your device.
>
> WRT third party apps accessing your Evernote account, you can go to your settings on the Evernote website & revoke authorization.

 

I understand they didn't take Evernote info directly, and my passwords were not the same. I also have a PIN code on my device. But I decided to change the main password anyway (it's time), and came across what seems like a general problem.

 

Suppose a hacker did find your password somehow. You found out, and want to change the main password to keep them out. But, if they - on their own device - set the "keep me logged in", then no matter how you change your password, they can keep getting in, right?  Or is it the case that EVERY device that ever accessed my account (including any unauthorized access) would be listed on the website and I could revoke their authorization? If not, then I don't see how this isn't a major security hole.

Link to comment

> Today I got an email from Evernote about the Adobe passwords stolen by hackers, with the advice to change my Evernote password. I went online to the website and changed my Evernote password. I also see a lot of posts on the forum about changing one's password if a device is stolen, to keep people from accessing your data. But I noticed that my various devices (Mac, iPad, iPhone) can still sync with the Evernote server and pull down new data (changes in my notes) even though they still have the old password! This means that if hackers had connected to my account with their devices, my changing the main password on the website won't stop their access any more than it stopped the access from my client apps on my Mac and my iPhone. If they had access before, they will still have access now because of this "keep me logged in" feature, right? I don't understand how the Evernote server can continue to send data to a client that no longer has the correct password. It seems like a huge security hole. I was chatting about this with an Evernote support person, and they said they'd talk to the developer and "hang on a minute" and then disconnected me after 5 minutes waiting. I have no idea what happened but I never got an answer to this. Does anyone know? How do I truly disable people's access by changing my primary password, if that doesn't seem to affect clients that connected before the password change?

 

To clarify, the advice to change your Evernote password was only if it was the same as your Adobe password.  And it's never a good idea to use the same password for different accounts, for this very reason. 

 

"Evernote has not been compromised and is not connected to this incident, but if you used the same password for Adobe and Evernote, then you should change your Evernote password now."

 

WRT your question, I'd guess if you elect to "keep me logged in", then the app won't ask for a password.  Which is also why it's a good idea to use the PIN code on your device. 

 

WRT third party apps accessing your Evernote account, you can go to your settings on the Evernote website & revoke authorization.

Link to comment

Archived

This topic is now archived and is closed to further replies.
